While both USAID and NASA took steps to assess their payment activities for risk, including conducting a review of select payment streams for improper payments, we identified numerous deficiencies in their procedures. USAID and NASA lacked a systematic method to review and analyze program operations to determine if risks exist, what those risks are, and the potential or actual impact of those risks on program operations. For example, neither USAID nor NASA had developed a process to (1) identify risks that exist in their payment activities or (2) evaluate the results of their payment stream reviews, such as weighting and scoring the effectiveness of existing internal control over payments made and results from external audits. Other weaknesses related to USAID, NASA, or both included a lack of established criteria for payment transaction reviews at the agency component level and no review of grant program payments to ensure awardees have safeguarded federal funds from improper payments. As a result of the inadequacies we identified in their risk assessment process, USAID and NASA cannot be certain that they have no programs or activities susceptible to significant improper payments, and ultimately, have not yet effectively implemented IPIA. Furthermore, risk assessment documentation maintained by USAID and NASA was lacking or insufficient to support their conclusions that no programs or activities were susceptible to significant improper payments.

Results in Brief

Although USAID and NASA have reported on steps taken to recoup improper contract payments, we found that recovery auditing procedures were not consistently performed for each of the 3 fiscal years reviewed. We also noted that documentation was lacking or did not adequately support reported recovery amounts and that neither agency adhered to all of the reporting requirements outlined in OMB's implementing guidance. For example, USAID and NASA did not report on recovery auditing activities in their fiscal year 2004 PARs. NASA reported that it was in the process of awarding a recovery audit contract. USAID reported on the dollar amount of contracts reviewed, but for the sole purpose of addressing IPIA reporting requirements and concluding that its grant and contract payment activities were not susceptible to significant improper payments.

For fiscal years 2005 and 2006, USAID recovery auditing procedures consisted of reviews of certain OIG and external audit reports of USAID. However, the methodology used for conducting those audits may not have constituted a recovery audit as defined by OMB guidance, and thus may be insufficient for this purpose. Also, USAID was unable to provide documentation of audit findings to support any of the recovery auditing amounts included in its PARs. Because of these limitations, we were unable to determine the validity of USAID's recovery auditing activities and accuracy of reported recovery amounts. NASA, on the other hand, used IPIA contract payment review results to report amounts recovered for fiscal year 2005. However, the payment reviews were limited in scope and did not provide an adequate representation of the extent of contract overpayments. For fiscal year 2006, NASA used a contractor to perform a recovery audit. Although the contractor identified about $121 million in potential contract overpayments, NASA officials told us that based on their review, they identified a small portion of that amount as "valid contract claims" totaling $256,255 with subsequent recoveries totaling $139,420. NASA officials determined that a vast majority of the claims submitted by the contractor were not improper as they related to cost-type contracts with provisional billing rates included in the contract terms, and were subject to a final or closeout audit that likely would have identified those payments reported by the contractor. In addition, we noted that both agencies did not adhere to all of the recovery auditing reporting requirements outlined in OMB guidance, including that the agencies had no description of a corrective action plan to address the root causes of payment error or no disclosure of the description and justification of the classes of contracts excluded from recovery auditing.

While USAID and NASA experienced significant challenges in their first 3 years of implementing IPIA and the Recovery Auditing Act, both agencies have taken steps to strengthen their risk assessment process and actions are under way to improve recovery audit efforts. For example, for its fiscal year 2007 risk assessment, USAID developed a database that compiles all of its payment disbursements made worldwide. USAID told us that it will use this database to annually identify its payment streams and corresponding volume and dollar amounts by mission or geographic location, data mine for duplicate payments, research other payment anomalies, and perform tests of transactions. USAID also stated that it plans to leverage the agency's work related to internal controls under OMB Circular No. A-123 requirements to assess control activities for IPIA purposes. For recovery auditing, USAID hired a contractor to carry out a recovery audit over all contract payments for fiscal year 2007. However, because the contractor identified minimal contract overpayments based on its limited review of USAID's fiscal year 2005 contract payments, the recovery auditor determined that it would not be profitable to continue its work at USAID. Going forward, USAID plans to work with its OIG to enhance in-house recovery auditing procedures as performed in past years. Overall, we believe these actions under way will better position USAID to identify and target high-risk areas and determine the effectiveness of control activities to reduce risks of improper payments. However, we note that USAID's current plans still lack a systematic method to determine if risks of improper payments exist, what those risks are, and the potential or actual impact of those risks on operations.

NASA hired a consulting firm to develop a methodology for conducting its fiscal year 2007 risk assessment for IPIA reporting. The consultant categorized the agency's disbursements within specific programs and activities as opposed to payment streams as done by NASA in previous years. Based on its work, the consultant identified 30 programs with approximately $10.8 billion in disbursements to include in NASA's review for determining risk level. The consultant then determined that 5 of the 30 programs were at risk for being susceptible to significant improper payments. NASA subsequently hired another consulting firm to conduct statistical sampling and testing of five different payment categories included in the five programs to determine if the programs were susceptible to significant improper payments, thus requiring NASA to estimate and report on the amounts of improper payments and actions to reduce them. From its review, the consulting firm reported that no significant improper payments were found, but recommended various actions for NASA to take to eliminate future errors. NASA plans to report these results in its fiscal year 2007 PAR. The work of the contractors represents a great enhancement in NASA's risk assessment methodology, when compared to prior years. In addition, NASA hired a recovery auditing firm to perform a recovery audit of its fixed priced contracts, similar to previous years. However, NASA has determined that its interim and closeout audits--including the withholding of final funds until the audit is complete--and adjustments to future billings for ongoing contracts, decrease the risk of contract overpayments, and therefore, consistent with OMB guidance, has excluded other contract types from its recovery auditing program. Although consistent with OMB guidance, NASA's universe of contract dollars subject to a recovery auditing program continues to remain relatively small, less than 20 percent of its total value of contracts. For its fiscal year 2007 PAR, NASA anticipates reporting interim results of initial recoveries related to contract overpayments. Because the contractor had just begun work to develop and execute an approach for conducting the recovery audit, we were unable to determine the reasonableness of the auditors' methodology by the end of our fieldwork.

We make a total of 10 recommendations to USAID and NASA to help improve their efforts to implement IPIA and the Recovery Auditing Act by focusing on performing risk assessments and reporting on efforts to recover improper payments.

We provided a draft of this report to USAID and NASA for comment. USAID did not specifically respond to our recommendations, but provided a technical comment which we incorporated into this report. NASA concurred with our recommendations and also provided technical comments on the draft, which have been incorporated as appropriate. Both agencies' comments, along with our evaluation, are discussed in the Agency Comments and Our Evaluation section of this report. Their comments are also reprinted in their entirety in appendixes IV and V.